Forgot your password?
typodupeerror
Security Businesses Apple

Apple Patches Kaminsky DNS Vulnerability 89

Posted by kdawson
from the cache-me-if-you-can dept.
Alexander Burke writes "Apple has just released Security Update 2008-005, which patches BIND against the Kaminsky DNS poisoning issue. 'This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1.' It also closes the script-based local privilege escalation vulnerabilities, the most common examples of which were ARDAgent and SecurityAgent, and addresses other less-publicized security issues as well." A few days back we noted Apple's tardiness in fixing their corner of this Net-wide issue.
This discussion has been archived. No new comments can be posted.

Apple Patches Kaminsky DNS Vulnerability

Comments Filter:
  • by Erie Ed (1254426) on Friday August 01, 2008 @08:53AM (#24431529)
    for a moment there I was worried about what could happen, but then it hit me nothing important runs on apple servers...
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Tons of video artists and mountain climbers publish on Apple servers.

    • Re:Good job apple (Score:5, Informative)

      by MacColossus (932054) on Friday August 01, 2008 @10:23AM (#24433235) Journal
      Quicktime streaming server, podcast producer, Fortune 500 companies with Macs needing a decent AFP stack and Workgroup Manager to control client side privileges on Mac workstations. Another reason might be a desire not to be financially sodomized by Microsoft on CAL's but the admin has a fear of Linux due to inexperience. (Not every GUI junkie has seen Webmin, KDE, Ubuntu desktop and such). A couple of good Mac Server/Administration sites are www.afp548.com and www.macenterprise.org. Hope this has been educational.
    • Re:Good job apple (Score:4, Insightful)

      by catwh0re (540371) on Friday August 01, 2008 @11:05AM (#24434005)
      other than that silly largest music retailer in the usa thing they've been toying with for a while.
    • Re: (Score:1, Flamebait)

      by falcon5768 (629591)
      Hundreds of thousands of education institutions, the US Military (Navy and Army in particular), and a number of Fortune 500 companies are nothing huh?
      • by Shados (741919)

        hundreds of -thousands- of education institutions use apple -server-?

        How many education institutions are there in the freagin world? I can count them on my fingers in my city of 150 thousand people. If there's just 200000 of em (required so it can be "hundredS" with an S), and we estimate 7 billion people on earth (thats much more than there actually is), and EVERY man, woman and child on earth, including babies, 3rd world country people, etc, attend on average 1 institution (I realise some people attend mo

      • Hundreds of thousands of education institutions, the US Military (Navy and Army in particular), and a number of Fortune 500 companies[Citation Required]

        Fixed that for ya.

      • by linuxpyro (680927)

        It depends too on what they're running on the servers; I'm sure several say Xserve installations run something YellowDog. Just a thought.

    • Except for the army's web server...

  • by PsyQo (1020321) on Friday August 01, 2008 @08:56AM (#24431577)
    They might have been slow with this patch, but boy does it look good!
    • by 4D6963 (933028) on Friday August 01, 2008 @09:10AM (#24431851)

      They might have been slow with this patch, but boy does it look good!

      No OS X 10.3 version. Less secure than the PF workaround. Lame.

    • It seems to do more than patch DNS; my whole system is a lot snappier because of it. And I haven't even installed it yet!

  • Ahhhhhh (Score:5, Funny)

    by segedunum (883035) on Friday August 01, 2008 @08:57AM (#24431599)
    The Slashdot effect that can make Apple actually patch something.
  • by Anonymous Coward on Friday August 01, 2008 @08:58AM (#24431623)

    ISC seems to think so : http://isc.sans.org/diary.html?storyid=4810

    Anybody care to test it for real using both an apple server and laptop, using dnsoarc, to get some real info?

  • by Katchina'404 (85738) on Friday August 01, 2008 @09:00AM (#24431665) Homepage

    As much as I love Apple, it bothers me that they do not release security patches for versions earlier than n-1 (where n is the current release).

    Mac OS X 10.3 server dates back to October 2003 (http://www.apple.com/pr/library/2003/oct/08pantherserver.html), so it's just short of 5 years. It's not THAT old, especially for a server products that's likely to be used in some SMEs.

    Or is 10.3 not affected ?

    • by MobyDisk (75490)

      Who runs a critical server like DNS on a version of the OS that is 5 years old?

      • Who runs a critical server like DNS on a version of the OS that is 5 years old?

        SMEs using a local DNS cache ? Well, of course they shouldn't do it considering the OS is not maintained anymore. But this does not make their desire to do it any less legitimate.

        You can't blame SMEs wanting to use an asset that still has value in their books. Depreciating a server over a 5 years lifespan doesn't even seem all that unreasonable.

      • Re: (Score:3, Insightful)

        by Macthorpe (960048)

        Well, Microsoft [microsoft.com], a company famed around here for 'planned obsolescence', managed to patch both XP and 2000. You'll note that both of those are more than 7 years old.

        • Re: (Score:3, Insightful)

          by MobyDisk (75490)

          I really am surprised that they patched Windows 2000. But Microsoft has never released an OS to replace XP yet. :)

      • by Phroggy (441)

        Who runs a critical server like DNS on a version of the OS that is 5 years old?

        Who upgrades the operating system on a critical server like DNS more often than every 5 years? I usually only reboot my servers about once a year, and you want me to reinstall the OS every time I do?

      • Mountain Climbers?
    • by Graff (532189)

      As much as I love Apple, it bothers me that they do not release security patches for versions earlier than n-1 (where n is the current release).

      You know that under the hood Mac OS X is Unix. It's not that hard to simply get the latest version of Bind and install it yourself. Here are some simple instructions [tidbits.com] on how to do it but it's basic stuff that any system administrator should know. (Personally, I'd install it in /usr/local instead of /usr and symlink to that rather than blowing away the version installed by Apple but then again that's something any computer admin worth his salt should also know.)

      Apple doesn't patch versions of Mac OS X that

    • by Phroggy (441)

      As much as I love Apple, it bothers me that they do not release security patches for versions earlier than n-1 (where n is the current release).

      Mac OS X 10.3 server dates back to October 2003 (http://www.apple.com/pr/library/2003/oct/08pantherserver.html), so it's just short of 5 years. It's not THAT old, especially for a server products that's likely to be used in some SMEs.

      Or is 10.3 not affected ?

      As much as I love Linux, it bothers me that many Linux distributions are even worse. For example, Fedora Core 6 and Ubuntu 6.10 were both released in October 2006 (a year and a half after the still-supported Mac OS X 10.4), but support for both of them was dropped several months ago.

      And yes, of course Mac OS X 10.3 is affected.

  • by homesnatch (1089609) on Friday August 01, 2008 @09:11AM (#24431869)

    Someone mentioned that Apple's delay was due to the patch causing a problem with some environment... Maybe Apple had to take the extra time to get it right.

    I would have preferred that Redhat did as well... The Redhat ES 4 patch for BIND left a couple of my DNS domains offline for a few hours.

    • Re: (Score:3, Funny)

      by itsdapead (734413)

      Maybe Apple had to take the extra time to get it right.

      What, you mean, like, actually realize that any sort of hasty patch to a production system carries a risk of downtime or data loss which has to be weighed up against the risk posed by a security vulnerability?

      Nah - never attribute to rationality that which can be satisfactorally explained by incompetence.

  • leopard and syslogd (Score:5, Informative)

    by Speare (84249) on Friday August 01, 2008 @09:25AM (#24432105) Homepage Journal

    Now if only they'd fix the 100% CPU syslogd problem that's been around since Leopard's release. leopard syslogd [google.com] I don't use TimeMachine at all, so most people's theories implicating TM is probably not accurate. I'll leave the MBP on overnight and when I wake up the CPU heat is way above normal because syslogd crapped itself again. (The fan speed vs CPU heat function is also pretty sucky.) Some video glitches even start appearing when the CPU heat stays high for a while. I'm going to just kill it hourly by cron, but Apple should also get its butt in gear and just fix it.

    • by Anonymous Coward on Friday August 01, 2008 @10:02AM (#24432769)

      Fix the syslogd problem:

      launchctl stop com.apple.syslogd

      rm -rf /var/log/asl.db

      launchctl start com.apple.syslogd

    • by whyloginwhysubscribe (993688) on Friday August 01, 2008 @10:19AM (#24433135)
      It must be bad - even cuil has hits relating to this: http://www.cuil.com/search?q=leopard+syslogd [cuil.com]
    • Re: (Score:3, Interesting)

      by illumin8 (148082)

      Now if only they'd fix the 100% CPU syslogd problem that's been around since Leopard's release. leopard syslogd I don't use TimeMachine at all, so most people's theories implicating TM is probably not accurate.

      Dude, that problem has been around since October of 2007, when Leopard was first released. It's been fixed and I think it's related to spotlight trying to index your syslog files. Seriously, if it's still bothering you that much, google for a fix or call Apple tech support.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      "Aha! A Slashdot article about an unrelated bug on Apple machines being fixed! Now that I have Apple's undivided attention, I'll mention a completely different bug in Slashdot's comment system! THAT'LL get it fixed!"

  • by Anonymous Coward

    The release notes for this patch say Bind "is not enabled by default". Why is everyone leaving out that detail when most of us do not run servers.

    • by jscotta44 (881299)

      This is /. Don't expect a reading of the article. Even if, by chance, the article happened to be read, don't expect a rational response. Many here like to practice their technology religion, in spite of facts. Please don't confuse them by trying to act and post rationally yourself.

  • by MacColossus (932054) on Friday August 01, 2008 @10:40AM (#24433587) Journal
    http://www.zdnet.com.au/news/security/soa/DNS-patch-causes-BIND-blunder/0,130061744,339290928,00.htm [zdnet.com.au] Could this have been what took Apple so long? Not as entertaining as posting "Apple sucks", but worth a look nonetheless.
    • Could this have been what took Apple so long? Not as entertaining as posting "Apple sucks", but worth a look nonetheless.

      That's an interesting theory, but doesn't look too likely. The flawed patches are the ones ending in "P1" which seem to be what OS X systems are upgraded to. Maybe they worked around that with other code, but there is not really any evidence to support that theory. Someone should probably test it.

  • by Timothy Brownawell (627747) <tbrownaw@prjek.net> on Friday August 01, 2008 @11:09AM (#24434089) Homepage Journal
    At least they're down to only using his name twice in the summary, even if one of them is in the title... I'd been starting to wonder if all the articles about the DNS bug were really just about how l33t he was for publicizing it and having it fixed.
  • by Anonymous Coward

    http://www.juniper.net/security/auto/vulnerabilities/vuln30131.html [juniper.net]

    That's a whopping list of vulnerable stuff there.
    I wonder if Apple took a survey, of who was still using older versions.
    I have read probably over 40% of internet users don't use updated browsers. http://blogs.stopbadware.org/articles/2008/07/01/forty-percent-of-users-use-insecure-web-browser [stopbadware.org]
    If that many users can't update browsers, how many can update their OS? Especially since browsers (and updates) are mostly free, you'd think they'd be mo

"In order to make an apple pie from scratch, you must first create the universe." -- Carl Sagan, Cosmos

Working...